May 22, 2017 


Windows, Spying, and a Twitter Rant 



Yesterday, I was testing out some privacy settings in Windows and ran across a bunch of stuff that concerned me. So I 
ranted about it on Twitter (see thread): 


Now those who know me know that I rant about this stuff all the time. Except this time it got quite a few more retweets 
than usual and a lot of others ran with it. As a number of people pointed out, there were some problems with how I 
applied a couple of the group policy settings. And looking back, I can't even say I'm 100% sure I rebooted after 
applying the settings (although I did do a gpupdate). So no, this was by no means a clean test. It wasn't meant to be a 
published finding, it was a Twitter rant. 

Not all the criticism towards how I set my settings was valid but I'm not going to bother addressing that. Instead, I ran 
more formal tests in a controlled environment to get more accurate results. 

But first let me explain that I have been using Windows exclusively on my desktop for more than twenty-five years. In 
the early 90's I did Windows tech support for a major computer company. In the late 90's I worked for a software 
company as Director of Microsoft-Based Development. I wrote a column for SecurityFocus.com on Windows security. I 
have written for Windows IT Pro Magazine, Redmond Magazine, Windows Web Solutions, Windows Secrets and 
others. I also wrote a book on ASP.NET security. Microsoft awarded me with the Most Valuable Professional (MVP) 
award seven times. Windows is kinda my thing. 

But that thing changed with Windows 10. A shift in Microsoft's philosophy has led to a massive collection of data 
from Windows computers. For me, it's not only a privacy issue but a security issue: it's hard to control what is 
happening on your computer when you aren't in control. 

But back to my tests. As I mentioned before there were too many variables I had in my more casual tests and I was a 
bit sloppy with some settings so I started with a clean build. This is what I did: 

1. Installed the OS (Windows 10 Enterprise, build 15063) in a VirtualBox virtual machine (CentOS host) with no 
network adapter. 


2. Installed the VirtualBox client extensions. 












3. Applied the Windows Restricted Traffic Limited Functionality Baseline that Microsoft publishes (more info). 

4. Manually uninstalled Solitaire and Feedback Hub, the only apps left Windows would let me uninstall. 

5. Shut down the virtual machine. 

6. Added NIC tracing in VirtualBox (with the VM powered off) using this command: 

    VBoxManage modifyvm "Win10ETest" --nictrace1 on --nictracefile1 windows.pcap 

7. Enabled the NIC. 

8. Started the virtual machine. 

9. Logged in. 

10. Pinged 8.8.8.8 to verify network connectivity. 

11. Let it sit untouched overnight. 
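Step 6 makes VirtualBox write every frame the guest sends or receives to windows.pcap, but the post never shows how to turn that file into the summary the Twitter thread argued about: which names the machine looked up, and which addresses and ports it contacted and how often. The script below is an added example of doing that offline; it is my code, not the author's tooling. It assumes the guest has VirtualBox's default NAT address (10.0.2.15) and uses the NAT DNS proxy (10.0.2.3), and that the capture is the classic libpcap file with Ethernet framing that --nictrace produces. The sample capture it builds in is constructed for the example (the hostnames and the 203.0.113.10 address are illustrative, not taken from the author's capture); pass the real windows.pcap as the first argument to summarize the actual capture.

```python
"""Summarise outbound guest traffic from a VirtualBox --nictrace capture (classic
libpcap format, Ethernet framing). Counts (protocol, address, port) per packet the
guest sent and records the names in DNS queries. Runs offline on a sample built here."""
import socket
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
GUEST_IP = "10.0.2.15"  # assumption: VirtualBox's default NAT address for the guest


def iter_frames(data):
    """Yield link-layer frames from pcap bytes, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # written little-endian (usual on x86)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet frames, got link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, payload) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # header length in bytes (options included)
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return src, dst, ip[9], ip[ihl:]


def dns_query_name(msg):
    """Return the question name of a DNS query message, or None for responses/garbage."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount == 0:         # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:                           # compression pointer: not valid in a fresh question
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels).lower() or None


def summarize(pcap_bytes, guest_ip=GUEST_IP):
    """Count outbound destinations and DNS lookups for packets sent by guest_ip."""
    destinations, lookups = Counter(), Counter()
    for frame in iter_frames(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, payload = parsed
        if src != guest_ip:                    # only traffic the guest originated
            continue
        port = None
        if proto in (6, 17) and len(payload) >= 4:
            port = struct.unpack("!H", payload[2:4])[0]   # TCP/UDP destination port
        destinations[(PROTO_NAMES.get(proto, str(proto)), dst, port)] += 1
        if proto == 17 and port == 53:
            name = dns_query_name(payload[8:])           # skip the 8-byte UDP header
            if name:
                lookups[name] += 1
    return destinations, lookups


# --- constructed sample capture (illustrative names/addresses, not the author's data) ---
def _frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # checksum left 0
    eth = b"\x52\x54\x00\x12\x35\x02" + b"\x08\x00\x27\x00\x00\x01"  # made-up VirtualBox MACs
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 50000, 53, 8 + len(msg), 0) + msg


def _tcp_syn(dport):
    return struct.pack("!HHIIBBHHH", 50001, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)


def build_sample_pcap(guest_ip=GUEST_IP):
    frames = [
        _frame(guest_ip, "8.8.8.8", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),     # step 10's ping
        _frame(guest_ip, "10.0.2.3", 17, _dns_query("settings-win.data.microsoft.com")),
        _frame(guest_ip, "10.0.2.3", 17, _dns_query("www.msftconnecttest.com")),
        _frame(guest_ip, "203.0.113.10", 6, _tcp_syn(443)),
        _frame(guest_ip, "203.0.113.10", 6, _tcp_syn(443)),
        _frame("10.0.2.3", guest_ip, 17, struct.pack("!HHHH", 53, 50000, 8, 0)),  # inbound: ignored
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1495400000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    destinations, lookups = summarize(data)
    for (proto, dst, port), n in destinations.most_common():
        print("%-4s %-15s %-5s %d" % (proto, dst, port if port is not None else "-", n))
    for name, n in lookups.most_common():
        print("dns  %s x%d" % (name, n))
```

Only packets whose source is the guest address are counted, so the inbound DNS reply in the sample is ignored and the one deliberate ping to 8.8.8.8 shows up as a single ICMP row you can discount by eye; everything else in the output is traffic the idle machine chose to send on its own.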

To save you all the suspense, yes this test resulted in much less activity than my initial test (put away the pitchforks). 
Less, but still too much (get out the pitchforks). 

What was the difference? The main difference is that the baseline sets many more settings than I did in my test. 
Another part of it surely was the fact that I did not set all of the settings I thought I had set. For example, I only set 
two settings for disabling SmartScreen, instead of considering all of these: 

    Configure App Install Control 
    Configure Windows Defender SmartScreen (appears four times in the policy search results, under different paths) 
    Prevent bypassing SmartScreen Filter warnings 
    Prevent bypassing SmartScreen Filter warnings about files th... (name cut off in the screenshot) 
    Prevent bypassing Windows Defender SmartScreen prompts (appears four times) 
    Prevent managing SmartScreen Filter 
    Turn off Managing SmartScreen Filter for Internet Explorer 8 
    Turn on SmartScreen Filter scan (appears ten times) 


For the record, I don't recommend disabling SmartScreen. 

Of course, you don't need to set all of those; there is some overlap, and I'm pretty sure you only need to set two to five of them. 





And several people noted that I had set the Allow Telemetry policy incorrectly. Now this was just sloppiness on my 
part and totally my mistake, but you can see how others might find it easy to get confused. The counter-intuitive 
way to minimize telemetry is to set the policy to Enabled and then pick 0 (Security) in the Options box below it; 
setting the policy itself to Disabled, as in the screenshot, is the wrong way (if you scroll down in the help text 
of the dialog box it explains this): 


Allow Telemetry 
    ( ) Not Configured 
    ( ) Enabled 
    (o) Disabled 

Options: (blank in the screenshot) 

Help text: 

This policy setting determines the amount of Windows diagnostic data sent to Microsoft. A value of 0 (Security) will 
send minimal data to Microsoft to keep Windows secure. Windows security components such as Malicious Software 
Removal Tool (MSRT) and Windows Defender may send data to Microsoft at this level if they are enabled. Setting a 
value of 0 applies to Enterprise, EDU, IoT and Server devices only. Setting a value of 0 for other devices is 
equivalent to setting a value of 1. 

A value of 1 (Basic) sends the same data as a value of 0, plus a very limited amount of diagnostic data such as basic 
device info, quality-related data, and app compatibility info. Note that setting values of 0 or 1 will degrade certain 
experiences on the device. 

A value of 2 (Enhanced) sends the same data as a value of 1, plus additional data such as how Windows, Windows Server, 
System Center, and apps are used, how they perform, and advanced reliability data. 

A value of 3 (Full) sends the same data as a value of 2, plus (text cut off in the screenshot) 



The wrong way to do it 

And yet compare that with the correct way to disable SmartScreen (this time you set the policy itself to Disabled and 
ignore the options box below it): 



















Configure Windows Defender SmartScreen 
    ( ) Not Configured 
    ( ) Enabled 
    (o) Disabled 

Options: 
    Pick one of the following settings: 
        Warn and prevent bypass 
        Warn 

Help text: 

This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users 
before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial 
dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be 
malicious. No dialog is shown for apps that do not appear to be suspicious. 

Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. 

If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following 
options: 

- Warn and prevent bypass 
- Warn 

If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user 
with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent 
attempts to (text cut off in the screenshot) 

The right way for this setting 


Now about that Windows Restricted Traffic Limited Functionality Baseline. It does cut back on traffic significantly, but 
does it block everything? No, it still collects some telemetry info. And it doesn't disable this setting letting Microsoft 
track which programs you run: 


    Let Windows track app launches to improve Start and search results: On 


Or this: 





















    Tasks (Privacy Statement) 

    Choose apps that can access tasks 
    Some apps need access to your tasks to work as intended. Turning off an app here might limit what it can do. 
    The following built-in apps always have access to your tasks: Mail and Calendar. 


Or this: 

    App Diagnostics (Privacy Statement, Learn more about app diagnostics privacy settings) 

    Let apps access diagnostic information: On 

    Choose apps that can access diagnostic information about other apps 
    Some apps use diagnostic information from other apps on your device to run as intended. Diagnostic information 
    may include the names of running apps, the user account name that launched an app, app memory, CPU, disk, and 
    network usage. Preventing access to diagnostic information may limit what an app that uses that information can do. 


There's also telemetry from .NET, Office, Windows Error Reporting, Windows DRM, and many other apps and 
software components to consider. 

On the other hand, the Windows Restricted Traffic Limited Functionality Baseline does mess things up quite a bit: 


No root SSL certificate updates (the baseline turns off automatic root certificate updates, so a root CA that isn't 
already in the image's store is never fetched and the browser rejects the chain): 

    Edge: Certificate error: Navigation blocked (microsoft.com) 

    This site is not secure 
    This might mean that someone's trying to fool you or steal any info you send to the server. You should close 
    this site immediately. 
    Go to your Start page 

    Details: Your PC doesn't trust this website's security certificate. 
    Error Code: DLG_FLAGS_INVALID_CA 
    Go on to the webpage (Not recommended) 


No driver updates (but still a OneDrive nag although OneDrive is disabled by policy): 

    ACTION CENTER 

    Settings: Searching for Display Driver 
    Screen resolution, performance and battery life (11:12p) 

    OneDrive: Get to your files from anywhere 
    OneDrive is your free online storage. (10:28p) 


Windows and other apps think the internet is not connected. This one is expected: the baseline turns off the Network 
Connectivity Status Indicator's active probes to Microsoft, and with no probe result Windows reports "No Internet 
access" even though packets get through (the ping in step 10 worked): 

    Network status 

    Ethernet: No Internet access 
    Your device is connected and can access other devices on your local network, but may not be able to reach the 
    Internet. If you have a limited data plan, you can make this network a metered connection or change other 
    properties. 

    Troubleshoot 


No Windows Update (although your organization probably wants to manage those with WSUS anyway): 

    Windows Update 
    *Some settings are hidden or managed by your organization. 

    Update status 
    We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, 
    make sure you're connected to the Internet. 

    Retry    Update history 


And many EventLog errors (repeated rows collapsed; the first row is partly cut off in the screenshot): 

    Level    Date and Time           Source                  Event ID  Task Category 
    Error    (cut off)               DistributedCOM          10001     None 
    Warning  5/22/2017 11:09:37 AM   DeviceSetupManager      200       None      (200/202 pair repeated six times) 
    Warning  5/22/2017 11:09:37 AM   DeviceSetupManager      202       None 
    Error    5/22/2017 11:03:03 AM   Apps                    5973      (5973)    (5973/10001 pair repeated twice) 
    Error    5/22/2017 11:03:03 AM   DistributedCOM          10001     None 
    Error    5/22/2017 10:52:35 AM   Apps                    5973      (5973)    (5973/10001 pair repeated twice) 
    Error    5/22/2017 10:52:35 AM   DistributedCOM          10001     None 
    Error    5/22/2017 10:37:34 AM   Apps                    5973      (5973) 
    Error    5/22/2017 10:37:34 AM   DistributedCOM          10001     None 
    Error    5/22/2017 10:29:16 AM   Apps                    5973      (5973) 
    Error    5/22/2017 10:29:10 AM   DistributedCOM          10001     None 
    Error    5/22/2017 10:24:42 AM   Service Control Man...  7023      None 
    Warning  5/22/2017 10:24:41 AM   DeviceSetupManager      201       None      (201/202 pair repeated three times) 
    Warning  5/22/2017 10:24:41 AM   DeviceSetupManager      202       None 









As you can see, even the recommended method for eliminating data collection isn't completely effective and causes a 
number of problems. So if you have a volume license for Windows Enterprise (no, you can't buy just one), apply 
the Windows Restricted Traffic Limited Functionality Baseline before bringing it online, don't install anything, 
and don't use your computer, and the data sent to Microsoft is quite minimal. 

If you don't have the Enterprise edition, the best you get is Basic telemetry (see what they collect), and that's only 
if you know to change it from the default Enhanced level (see what more they collect!). For many users the telemetry 
and other tracking is set at the maximum default levels. 

The point of this article isn't to bash Microsoft or ditch Windows. We face the same thing with Apple, Google, and so 
many others. What we need to do is fix this, even if that means getting lawmakers involved. It can only get worse 
from here. 

Let me summarize this with a few key points: 

• I made mistakes on my original testing and therefore saw more connections than I should have, including 
some to Google ads. 

• You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline, but it breaks 
many things. 

• Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be 
confusing to beginners. 

• You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even 
on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft 
documentation discourages opting out and warns of a less optimal experience. It's almost like they don't 
want you to opt-out. 

• But you can't completely opt-out. Windows still tracks too much. 

• Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff. 
I'm not going to bother with captures from those systems, this has already been shared by many others. 
Spoiler: it's bad. 

• I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows. 




